Scenario 1
Military intelligence agencies, during a time of peace. -- BORING
This is exactly like running a network when there are no major projects. There are some things you will check daily, and some paperwork to be done, a question here, a minor problem there, and even the occasional meeting. But for weeks at a time, you are not even sure if you could justify your own salary. Sure, you try to keep your skills up to date by reading and running 'drills' and practice runs of what you 'might' be required to deal with some day, but once you've done all you could creatively conceive of you're ultimately bored to tears, and wondering when the axe will fall.
Granted, I am a much smaller entity than a Military Intelligence agency, and many minds can think up more scenarios than one mind, even one that does not think conventionally. Invariably, if I am good at my job, I will leave the impression that my job is to do nothing but consume money and space and therefore is not actually required.
I could always 'create' work for myself. I would need very little time to unleash a problem that needs to be solved and create the illusion of how my job is a fundamental requirement within the corporation. All it would require, is that I turn off my moral compass for just a few minutes and act as my own enemy, then hide that fact. Since I would be the very same person called upon to investigate the problem after having fixed it, I could easily hide or plant evidence in the digital annals of the network. Since I am only a single person, it would be very easy to keep my story straight; an advantage over that of a large Military Intelligence agency.
There is a problem with all of this, at least from my vantage point: I am honest. I would rather that my job justified itself the day after I am 'sent home' when one of the things nobody sees me do, is not done, even if that does not lead to my being called back, than turn off my moral compass. I know that I frequently walk the thin grey line between righteous and criminal intention. I know that I frequently peek over the fence to see what tactics I must defend against, and that I do attempt to get into the minds of those who would cause harm to that which I am charged to protect. I know and use tactics that, were I not given authority (and permission) to do with company property, would be prosecutable. If I did to an outside corporate network, what I routinely do to 'my' inside corporate network it would break the law.
Again, the line is very, very thin, and not extraordinarily visible. It even gets blurry in places. So as not to forget how to recognize the line, I have never dared to cross it. Military intelligence agencies have been caught crossing this very similar line many times.
Scenario 2
Military intelligence agencies and the 'illusion' of security. --or-- I know what I know... So I couldn't possibly be the only person who knows.
Security in almost any form, is an illusion. It is far more a state of emotion than a physical entity or thing. All the way back to the lock and key, the illusion of security has been sold. So long as we believe we are protected we feel safe. Locking the door is only a mild deterrent to would be thieves, turning on the alarm, a second mild deterrent added to the first. While these do prevent 'everybody' from just walking in and preparing dinner and leaving me a stack of dirty dishes while I am not at home, they won't deter a good (or a desperate) thief.
As pertains to my work, there are firewalls, antivirus, GPO settings, complex passwords, expiring passwords, patching systems, and even a computer and network usage policy signed by the users. Yet, viruses, trojans, and spyware still find their way in, and ultimately I do not presume any of this prevents a user from printing something to take home and sell it to a competitor, but then it becomes a different type of security that nobody asked 'me' to provide. All of these overlapping technologies and methods do present the required 'illusion' of security and that was the only thing that was required. I am in place to guard the illusion and repair the cracks as they may appear. I do not ascribe to the idea that the system in place will ever be perfect, which is why it's most frequently called 'industry standard' or 'best practice'.
I do test the perimeter as is mandated by my job. I do make changes to the digital rules of the systems as new attacks are published. I even occasionally ensnare viruses to be analyzed (with hex editors and programming tools) for educational purposes. I even actively seek viruses and their delivery methods in order to create training materials for my user base, in hopes of thwarting problems before they might surface.
Again this thin pale line rears itself right here. I do not seek any of this with malicious intent. I do not even seek this out in the effort to fear-monger a salary justification (or increase). I do this in the interest of my network, my education, and the education of those I serve. (my 'the people' are the users of my network, and the corporation who employs me at the same time, thus I try to waste as little time and productivity as humanly possible, but justify what I do waste on a much larger waste should something go terribly wrong).
The only real differences in this situation is: while the I.T. department might attempt to be 'transparent' nobody else understands what they said. Military intelligence agencies are much more secretive. (although, I am not sure whether intelligence briefings to the executive branch are not also 'encoded' in some manner, some might argue that they in fact are. Think of the movies, when the mafia when they know they are being wire tapped, their conversations tend to not say anything in any direct manner, but knowing the code will provide the information needed). The second difference is that I do not try to sell the idea that I can make the present 'illusion' of security be perceived any more greatly than it is already. Any additional layers will be disrupting the end-users with stupid questions like 'something you clicked on needs access to the network, [allow] [deny]' (akin to: you are about to board an airplane, would you like to be [radiated] [groped]?) when most of them already hate the password requirements.
Scenario 3
Mysticism, myths, legends, and slight of hands.
Just today I was actually working (dissecting a laptop into a gazillion pieces) when somebody came to my office to tell me that their computer froze. Since I had small parts spread all over my desk that I did not want to lose. I responded 'have you checked on it since you came to advise me? It's probably good now.' To be honest, I suspected that I would walk over there and find nothing wrong and a computer that was working, albeit not as fast as the user wanted. When asked to explain what I did, I interspersed some random industry words of 4 or more syllables with clairvoyance, which went over their head. Then I stated bluntly "It's why I'm here actually."
The lie: I am clairvoyant. The Mysticism: what were all those other words? The slight of hands: I did not do anything at all. The legend: I fixed something that somebody did not understand instantaneously and did not even need to move to do it, I must be a god. Bonus: again I did not actually do anything.
The only way I did not ensnare that user, is if they called my bluff with a resounding 'BULLSHIT! Start to finish, an outright fabrication!' because to be honest, I had a 50/50 chance that I was even correct in my initial assumption. In this case I would have been happy if she'd called my bluff, she's far too timid... (another interesting contrasting but comparative statement right there... Comparative: timid like those afraid to say 'BULLSHIT!' to government propaganda, contrasting: this will never result in me being hung for treason, so I do not have a large personal stake requiring that I never get caught)
This was propaganda. Better still, it was propaganda under the pretense that I was too self-important to go and look at it right now (like when governments enact some unpopular law, or take some action of aggression against the will of the public and claims only it knows the greater good). This kind of exercise has become routine for not only Military intelligence, but entire governments. The only difference when I do it, most people know I am joking, and I am not in any position of 'ultimate and unyielding power and authority'. I am also not afraid to admit to exaggerating, or making up convoluted sentences filled with words the general population does not comprehend because I had no real answer. I am not even afraid to admit when I'm wrong, or don't know the answer. I might understand the machines, but I remain irrevocably human (nobody knows everything).
Conclusion
I do not actually buy the 'greater-good' excuse for action without wisdom; I do not buy the concept that owning more security is greater than or equal to having more security; I do believe that acting to prove your own importance by staging a situation for you to leap into action leads down a long dark path that has no end, and not enough room to turn around and find your way back from.
Simply voting the bastards out would only deliver a portion of the solution. There are many bureaucrats who simply change the portrait on their wall after the changing of the guard. Not to mention the number of bills, laws, proposals, executive orders, and budgetary commitments passed and approved by previous administrations which often have some end date of 20 years later.
So I will part with the last bit of I.T. wisdom: maybe the system needs a reboot or possibly a complete reformatting.
No comments:
Post a Comment